We've seen a bunch of critical messages about GoDaddy go over the list in the last few days. I'm happy to extend an invitation to someone at the company if they want to reply. The closest we've seen so far is this: http://news.com.com/5208-1025_3-0.html?forumID=1&threadID=24518&messageID=232062 "I am Ben Butler, the Director of Network Abuse at Go Daddy and I want to personally address your posts regarding SecLists.org... An important issue I would ask you to consider is one that is a top priority for us at Go Daddy ? child exploitation or even the potential for it... I don't know of any parent who wouldn't want their child?s username and password protected." Previous Politech message: http://www.politechbot.com/2007/01/29/response-to-godaddys/ -Declan -------- Original Message -------- Subject: Re: [Politech] More experiences with GoDaddy, free speech, and domain deletion [fs] Date: Fri, 26 Jan 2007 10:52:28 -0800 From: Tom Collins <tom@private> To: Declan McCullagh <declan@private> References: <45BA335B.2030306@private> Declan, A good friend ran into a serious problem with GoDaddy. He had a dedicated server with them, and when he confronted his sysadmin about using the server to host sites for other people, the sysadmin freaked out. Since the sysadmin had access to the GoDaddy account, he was able to renew the domain registration with his credit card, change the password and change the Registrant info. As a result, my friend has lost complete control over the domain. Since the sysadmin made the last payment on the account, he now "owns" it. My friend lives in Scottsdale, where GoDaddy headquarters is located, but there isn't a physical office you can visit (no surprise there). To regain control of the domain, he needs to sue the sysadmin and get a court order to force GoDaddy to hand the domain back. As a result, he's registered a new domain name for their company (using Dotster) and I'm hosting the site and email for them. What a mess. -Tom -------- Original Message -------- Subject: Re: [Politech] MySpace, GoDaddy pull plug on computer security domain name without warning [fs] Date: Mon, 29 Jan 2007 23:33:53 -0500 From: Jim Davidson <davidson@private> Reply-To: davidson@private To: Declan McCullagh <declan@private> References: <45B9C4BE.9060301@private> Dear Declan, Your comments are completely appropriate throughout. MySpace has terrible log-in security. There is no way to get an SSL link to log in securely. As I understand it, all MySpace passwords are user generated, so many of them are undoubtedly words found in the dictionary. Many users have fairly obvious e-mail addresses, too, which is what passes for a user name. So, learn a user's e-mail address (often by simply looking at their MySpace page or a web link from their MySpace page) and then their password may be one encrypted dictionary away. If MySpace is serious about security, it can take a number of steps. Adding https connections, at least as an option, lets those who have decent passwords keep them private. MySpace could add server generated usernames or passwords, or at least offer replacement passwords that are reasonably strong server-generated random character strings. Another very frequent problem I've encountered is bot-generated pages on MySpace. Many of these pages come up with a covering image that asserts the content is protected and for adults only, click on the image to get special log in instructions. Endless phishing goes on with MySpace log-in look-alike pages. It is a minefield trying to keep a MySpace page secure. I see many of my friends lose their passwords and then the bulletin board gets loaded with spam apparently from their hijacked account. One friend clicked on a MySpace message he received, found an offer for a nude video of Britney Spears, clicked that, his MySpace session was suddenly "lost" and he found himself at a screen requesting login. So, of course, he logged in to a phishing site. Yahoo mail and other sites such as Google don't have these apparent difficulties. What do they do differently? I used to have to click a particular link to get to Yahoo's SSL login, but now it seems to be the default. Gmail has always had SSL login screens. Given user selected usernames and passwords, SSL seems essential, to me. MySpace seems to be run by amateurs, so it is not surprising that they didn't bother to go to the site's owner before going to the registrar demanding the plug be pulled. As for GoDaddy, I find their attitude idiotic. Most of the people I know are moving toward Tucows registrars (WontonGold is a good one) or other alternatives. Yes, GoDaddy can act as judge, jury, and executioner. But should they? And, if they are going to sit in judgement, doesn't the accused have rights? Right to present evidence in his defense, to confront witnesses against him, to confront their testimony, to take corrective action before having his domain eliminated? Assuming these rights are not present in the GoDaddy contract, then only a fool would register with GoDaddy. Or perhaps a prospective litigant. The principles of liberty embodied in the constitution are not just a bunch of complex ideas. They are the distillation of hundreds of years of common law and thousands of years of mercantile law. Treating the accused with respect for certain rights is better for everyone, not just the accused. It makes for better results, a greater chance that justice prevails, it reduces the potential for miscarriage of justice, for hard feelings, and for bitterness. Heavy handed brutality and torture may appeal to the socialists, but they are wrong. They've always been wrong. Private property and individual liberty make for a better society. Regards, Jim http://indomitus.net/ _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Tue Jan 30 2007 - 00:29:06 PST